A cyber security incident team is required for each cyber assault. If you want to construct a CSIRT with skilled event handlers, you need personnel with certain skills and technical experience, as well as the ability to respond to incidents, do analysis duties, and successfully interact with your constituency and other external contacts. They must also be good problem solvers, adaptable to change, and efficient in their everyday duties. Because it is not always possible to recruit such skilled personnel, CSIRTs will occasionally foster and develop internal staff employees to move into these incident-handling jobs.

This skill summary is based on the CERT Coordination Center’s (CERT/CC) early incident-handling experiences, our observations of CSIRTs, and the experiences that others in the community have shared with us over the years.

The composition of CSIRT staff varies by team and is determined by a variety of factors, including • the CSIRT’s mission and goals; • the nature and range of services offered; • available staff expertise; • constituency size and technology base; • anticipated incident load; • severity or complexity of incident reports; and • funding.

Many teams have a core set of people who perform the most basic incident-handling services. Each CSIRT employee is required to have a minimal set of abilities in order to accomplish their job and be effective in their obligations.

These are the abilities that have been recognized as required for members of the CSIRT team.
The CSIRT team requires certain skills.

Basic Skills:

  • Personal skills
    1. Communication
      1. Written communication
      1. Oral communication
    1. Presentation Skills
    1. Diplomacy
    1. Ability to follow policies and procedures
    1. Team Skills
    1. Integrity
    1. Knowing One’s Limit
    1. Coping with the stress
    1. Problem Solving 
  • Time Management
  • Technical Skills
    • Technical Foundational Skills
    • Incident Handling Skills
    • Local team Policies and Procedures
    • Understanding/Identifying Intruder techniques
    • Communicating with sites
    • Incident Analysis

Many of the skills required by CSIRTS are borrowed from traditional systems and network administration and project management fields. It is critical that the CSIRT employees have the baseline abilities, whether they are fostered and “developed” from within organizational workers or sought and hired as additions to the current team. Providing an environment for personnel to exercise their abilities and grow technically and professionally would increase the CSIRT’s capacity to deliver valuable service to the constituency they serve, as well as enable the team to support new technologies that are incorporated into the CSIRT and the constituency.